PacerCMS is a content management solution for student and non-daily
community newspapers.

- Details

PacerCMS is susceptible to both persistent cross-site scripting and
SQL injection attacks. An attacker could use the public
'Write a Letter'(submit.php) form to send a message to the System
Administrator or staff member containing Javascript. The name,
headline, or text POST variables are not sufficiently sanitized.

The system administrator of the CMS sees a list of submitted
messages on siteadmin/index.php right after logging in. If an
attacker sends a message containing Javascript in the name or
headline then the code will be run as soon as the admin logs in.
This could lead to a staff member's session being hijacked.

Multiple siteadmin pages are vulnerable to SQL injection. Access to
these pages are restricted to staff members.